[Zope-dev] startup security status (say that five times fast... well, ok, it wasn't so tough after all)

Behrens Matt - Grand Rapids Matt.Behrens@kohler.com
Wed, 24 Oct 2001 12:54:44 -0400



I opted for #2, since it requires no changes to existing start/stop scripts.


> 2.  Enforce the sticky bit on the var directory.  From Solaris' chmod(2) 
> manpage:
> 
>      If a directory is writable and has S_ISVTX (the sticky  bit)
>      set,  files  within that directory can be removed or renamed
>      only if one or more of the following is true (see  unlink(2)
>      and rename(2)):
> 
>         o  the user owns the file
> 
>         o  the user owns the directory
> 
>         o  the file is writable by the user
> 
>         o  the user is a privileged user
> 
> (Privileged user means 'root'.)  We only need to enforce the sticky bit 
> if we start as root and are doing the requisite setuid().  My patch 
> already has a test for this.


Patch is attached, against the current release.  (diff -c, God bless 
Solaris... heh)

-- 
Matt Behrens <matt.behrens@kohler.com>
System Analyst, Baker Furniture
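
The check described in the message, sketched as an added example: it is not the attached patch (whose contents are not shown here) and not Zope's own code. The helper names, the `started_as_root`/`will_setuid` parameters, and the reading of "enforce" as "set the bit if it is missing" are assumptions; the temporary directory is a constructed stand-in for `var`.

```python
import os
import stat
import tempfile


def has_sticky_bit(path):
    """Return True if path is a directory with S_ISVTX set."""
    mode = os.stat(path).st_mode
    return stat.S_ISDIR(mode) and bool(mode & stat.S_ISVTX)


def enforce_sticky_bit(var_dir, started_as_root, will_setuid):
    """Set S_ISVTX on var_dir when the process starts as root and drops privileges.

    Returns True if the mode was changed, False if nothing needed doing.
    (Hypothetical helper; "enforce" is assumed to mean "set if missing".)
    """
    if not (started_as_root and will_setuid):
        return False  # only the root-then-setuid() case needs the check
    if has_sticky_bit(var_dir):
        return False
    perms = stat.S_IMODE(os.stat(var_dir).st_mode)
    os.chmod(var_dir, perms | stat.S_ISVTX)
    return True


def demo():
    """Run the check on a constructed temporary directory standing in for var."""
    with tempfile.TemporaryDirectory() as var_dir:
        os.chmod(var_dir, 0o775)  # group-writable, no sticky bit yet
        before = has_sticky_bit(var_dir)
        skipped = enforce_sticky_bit(var_dir, started_as_root=False, will_setuid=False)
        changed = enforce_sticky_bit(var_dir, started_as_root=True, will_setuid=True)
        after = has_sticky_bit(var_dir)
        again = enforce_sticky_bit(var_dir, started_as_root=True, will_setuid=True)
        final_mode = stat.S_IMODE(os.stat(var_dir).st_mode)
        return before, skipped, changed, after, again, final_mode


if __name__ == "__main__":
    # A real start-up path would pass os.getuid() == 0 and whether a target uid is configured.
    print(demo())
```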



Attachment: z2_py.diff.gz